What Is DORA Compliance?

DORA (Digital Operational Resilience Act) is an EU regulation that requires financial entities and their critical ICT suppliers to implement operational resilience frameworks covering ICT risk management, resilience testing, incident reporting, and third-party oversight. DORA entered into force in January 2025, with supervisory review beginning in January 2026.

Key Elements of DORA Compliance

  • Documented ICT risk management policies, controls, and accountability
  • Regular resilience testing, including scenario-based testing and advanced testing where required
  • Structured incident reporting for major ICT incidents
  • Third-party risk management and due diligence for critical ICT providers
  • Management review and remediation tracking following resilience tests

Why DORA Matters for Financial Services Leaders

DORA makes resilience a board-level operational issue, not just an IT issue. It expects organizations to show that critical digital services can continue under stress and that resilience testing produces actual management action.

For CISOs, BC/DR leaders, and GRC teams, that means resilience programs must become measurable, documented, and repeatable—not just occasional exercises run for audit season.

DORA and Regulatory Requirements

DORA is explicit about resilience testing, management review, third-party oversight, and remediation. It is part of a broader trend in which regulators want proof that organizations can withstand disruption, not simply policies asserting they will.

Scenario-based exercises are particularly useful because they test cross-functional decision-making, which is often where operational resilience succeeds or fails in real incidents.

How Opsbook Helps with DORA Compliance

Opsbook gives financial services teams a repeatable way to run resilience tests, document results, and track remediation actions through completion.

That means scenario records, role participation, after-action reports, and action tracking can all be packaged as evidence instead of recreated manually after the fact.

Frequently Asked Questions

Which organizations are subject to DORA?

DORA applies to EU financial entities and also creates oversight implications for certain critical ICT providers serving them.

When did DORA come into effect?

DORA entered into force in January 2025, with supervisory review beginning in January 2026.

Do tabletop exercises satisfy DORA’s resilience testing requirements?

They are an important part of scenario-based resilience testing, though some organizations may also need more advanced testing depending on scope and risk profile.

What documentation does DORA require from resilience testing?

At a minimum, organizations need records of testing, documented findings, management review, and tracked remediation actions.
